
LAPS: The Local Administrator Password Solution For Windows Devices In Entra ID.


Overview.

Prerequisites.

Join types.

LAPS is only supported on:

  • Microsoft Entra joined devices.

  • Microsoft Entra hybrid joined devices.

Microsoft Entra registered devices are not supported.

License requirements.

LAPS is available to all customers with Microsoft Entra ID Free or higher licenses. Other related features like administrative units, custom roles, Conditional Access, and Intune have other licensing requirements.

Required roles and permissions.

In addition to the built-in Microsoft Entra roles such as Cloud Device Administrator and Intune Administrator, which are granted the device.LocalCredentials.Read.All permission, you can use Microsoft Entra custom roles or administrative units to authorise local administrator password recovery.


Enabling Windows LAPS Within Microsoft Entra ID.

To enable Windows LAPS with Microsoft Entra ID, you must take actions both in Microsoft Entra ID and on the devices you wish to manage. We recommend that organisations manage Windows LAPS using Microsoft Intune. If your devices are Microsoft Entra joined but aren't using, or don't support, Microsoft Intune, you can deploy Windows LAPS for Microsoft Entra ID manually. For more information, see the article Configure Windows LAPS policy settings.

  1. Sign in to the Microsoft Entra admin center as at least a Cloud Device Administrator.

  2. Navigate to Entra ID > Devices > Overview > Device Settings.

  3. Select Yes for the Enable Local Administrator Password Solution (LAPS) setting, then select Save. You might also use the Microsoft Graph API Update deviceRegistrationPolicy to complete this task.
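The Graph alternative mentioned in step 3, as an added example that is not part of the original article. It assumes the Microsoft.Graph PowerShell module, the beta deviceRegistrationPolicy endpoint updated with a full-object PUT, and the Policy.ReadWrite.DeviceConfiguration permission; confirm these against the current Graph documentation before use.

```powershell
# Added example (not from the article): enable tenant-wide Windows LAPS via Graph.
# Assumptions: Microsoft.Graph module installed, beta endpoint, full-object PUT,
# and Policy.ReadWrite.DeviceConfiguration granted to the signed-in admin.
Connect-MgGraph -Scopes "Policy.ReadWrite.DeviceConfiguration" -NoWelcome

$uri = "https://graph.microsoft.com/beta/policies/deviceRegistrationPolicy"

# Read the current policy first: the update replaces the whole object, so every
# other setting (join quota, registration MFA, etc.) must be sent back unchanged.
$policy = Invoke-MgGraphRequest -Method GET -Uri $uri

if ($policy.localAdminPassword.isEnabled) {
    Write-Host "LAPS is already enabled for this tenant; nothing to change."
    return
}

$policy.localAdminPassword.isEnabled = $true

# Drop the read-only OData metadata returned by GET before writing back.
$body = @{}
foreach ($key in $policy.Keys) {
    if ($key -notlike '@odata*') { $body[$key] = $policy[$key] }
}

Invoke-MgGraphRequest -Method PUT -Uri $uri `
    -Body ($body | ConvertTo-Json -Depth 10) -ContentType "application/json"

# Verify the change took effect rather than trusting the PUT alone.
$after = Invoke-MgGraphRequest -Method GET -Uri $uri
Write-Host "LAPS enabled: $($after.localAdminPassword.isEnabled)"
```

Because the update overwrites the entire policy, review the object returned by the GET before running the PUT so no unrelated device-registration setting is unintentionally changed.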

Deploying Windows LAPS Using Microsoft Intune.

Ensure the prerequisites for Intune to support Windows LAPS in your tenant are met before creating policies. Intune's LAPS policies don't create new accounts or passwords. Instead, they manage an account that's already on the device.

  1. Sign in to the Microsoft Intune admin center and go to Endpoint security > Account protection, and then select Create policy.

  2. Set the Platform to Windows, Profile to Local admin password solution (Windows LAPS), and then select Create.


Monitoring LAPS Password Access Via Microsoft Sentinel/Defender XDR.


References.

Use Windows Local Administrator Password Solution (LAPS) with Microsoft Entra ID - Microsoft Entra ID | Microsoft Learn

Deploy Intune policies to manage Windows LAPS - Microsoft Intune | Microsoft Learn
